The present invention relates to a method and apparatus for detection of an attack such as a pre-attack on a computer network by an unauthorized user.
Security is important to the manager of a modern computer network, be it a LAN (Local Area Network) or a WAN (Wide Area Network). Networks are usually attached to the Internet. Therefore, there is a constant risk that some malicious person from outside of a network may attempt to obtain access to the network and use this access to disrupt normal network activity or gain access to private information.
Many network managers use ‘firewalls’ (a device which filters traffic entering and leaving a computer network to protect it from malicious users) to protect their network from people outside the network. However, for many reasons firewalls are not suitable for all types of networks, since they may restrict the ability of legitimate users to use the network, and even where they are used it is useful to have an additional level of security. We will describe a technique for detecting when someone from outside a network is attempting to access the network in an unauthorized way. The technique does not require a firewall in order to operate, and thus can be used as a complement to existing firewalls. For users who do not use firewalls, the method described offers a way to try to detect unauthorized or malicious accesses to the network.
All devices on a network are identified by an ‘address’ (eg an IP address). When a device wants to send data to another device, it typically marks the data with the destination address of the device it wants to communicate with and then puts this data onto the network, where it is forwarded to the correct device based on the destination address.
When a malicious person wishes to attack a network, it is usual for them to first carry out what is referred to as a “pre-attack” on the network, that is, to try to identify which addresses correspond to actual devices within the network. It would be useful to be able to deal with this problem.
Thus the arrangement of the invention allows the network to identify such a pre-attack.
The present invention provides a computer program on a computer readable medium or embodied in a carrier wave, for detecting a potential attack on a computer network, comprising the following steps:
(a) from network traffic data which includes source and destination addresses of traffic on the network, make a list E of all the source addresses in the data which are not allocated to the network and which are not in a list X;
(b) choose a first address in list E;
(c) count the number of data entries which include A and B, that is, which represent network traffic passing between the source address A chosen from list E and a destination address B allocated to the network;
(d) if the number of such data entries is more than T, output address A, thereby identifying address A as a potential source of attack;
(e) determine if there are any entries in list E left to process;
(f) if yes, move on to the next address in list E and repeat steps (c) to (e);
(g) if no, stop.
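The following is an added worked example of steps (a) to (g), written here for illustration and not taken from the patent or any implementation of it. The allocated address block, the exclusion list X, the threshold T and the traffic records are all constructed sample values. The patent leaves open exactly what is counted in step (c); this example counts every traffic entry whose source is A and whose destination is any address allocated to the network, which is one reasonable reading and is stated as an assumption in the code.

```python
"""Pre-attack (address sweep) detector following steps (a) to (g).

Added illustration, not the patent's own code. All addresses below are
constructed sample values from documentation ranges.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, List, Set, Tuple

# Constructed: the address block allocated to the protected network (assumption).
ALLOCATED: IPv4Network = ip_network("192.0.2.0/24")

# Constructed list X: outside addresses that are never reported, e.g. an
# upstream resolver the network legitimately talks to (assumption).
LIST_X: Set[IPv4Address] = {ip_address("198.51.100.53")}

# Constructed traffic data as (source, destination) pairs, the two fields
# step (a) requires from the network traffic data.
TRAFFIC: List[Tuple[str, str]] = [
    # 203.0.113.9 touches five different internal hosts: a sweep of the space.
    ("203.0.113.9", "192.0.2.1"),
    ("203.0.113.9", "192.0.2.2"),
    ("203.0.113.9", "192.0.2.3"),
    ("203.0.113.9", "192.0.2.4"),
    ("203.0.113.9", "192.0.2.5"),
    # Traffic from the same source to an address outside the network is not
    # "destination B allocated to the network" and is not counted in step (c).
    ("203.0.113.9", "203.0.113.200"),
    # 203.0.113.77 is an ordinary outside client repeatedly using one server.
    ("203.0.113.77", "192.0.2.10"),
    ("203.0.113.77", "192.0.2.10"),
    # 198.51.100.53 is busy but is on list X, so it never enters list E.
    ("198.51.100.53", "192.0.2.1"),
    ("198.51.100.53", "192.0.2.2"),
    ("198.51.100.53", "192.0.2.3"),
    ("198.51.100.53", "192.0.2.4"),
    # An internal source: allocated to the network, so excluded from list E.
    ("192.0.2.5", "203.0.113.77"),
]


def build_list_e(traffic: Iterable[Tuple[str, str]], allocated: IPv4Network,
                 list_x: Set[IPv4Address]) -> List[IPv4Address]:
    """Step (a): source addresses not allocated to the network and not in X."""
    list_e: Set[IPv4Address] = set()
    for src, _dst in traffic:
        a = ip_address(src)
        if a not in allocated and a not in list_x:
            list_e.add(a)
    # Sorted so that steps (b), (e) and (f) walk the list in a fixed order.
    return sorted(list_e)


def count_entries_to_network(traffic: Iterable[Tuple[str, str]], a: IPv4Address,
                             allocated: IPv4Network) -> int:
    """Step (c), under the assumption stated in the lead-in: the number of
    entries whose source is A and whose destination B is allocated to the
    network."""
    return sum(1 for src, dst in traffic
               if ip_address(src) == a and ip_address(dst) in allocated)


def detect_pre_attack(traffic: List[Tuple[str, str]], allocated: IPv4Network,
                      list_x: Set[IPv4Address], threshold: int) -> List[str]:
    """Steps (a) to (g): return every address A whose count exceeds T."""
    suspects: List[str] = []
    for a in build_list_e(traffic, allocated, list_x):      # (a), (b), (e), (f)
        if count_entries_to_network(traffic, a, allocated) > threshold:  # (c)
            suspects.append(str(a))                          # (d): output A
    return suspects                                          # (g): stop


if __name__ == "__main__":
    # Constructed threshold T: more than three hits on the network is suspicious.
    for address in detect_pre_attack(TRAFFIC, ALLOCATED, LIST_X, threshold=3):
        print(f"potential source of attack: {address}")
```

With the sample data and T set to 3, only 203.0.113.9 is reported: the busy resolver is filtered by list X in step (a), the internal host never enters list E, and the ordinary client's two entries do not exceed T. Choosing T too low turns every active outside client into a report, so in practice T is tuned against the normal per-source volume seen on the network.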
The present invention also provides a method for detecting a potential attack on a computer network, the method comprising the steps of the computer program outlined.